Maybe OT, but can't help myself: TLS in 2.1.3

Hi list,
i'm having serious trouble with generating SSL/TLS-certificates.
Obviously it's not a ldap-problem, but i think somebody on the list
(if not everybody) must have done it an could help me.
The story :
I'm migrating from 2.0.25 to 2.1.3.
In 2.1.3 the certificates don't have to be self-signed
(which was allowed in 2.0.x).
Now, i tried to generate the certificates with the openssl-tool,
but i didn't succeed for a week ....
Here's what i've done.
1) I create a self-signed certificate like i did always :
openssl req -new -x509 -days 365 -out /usr/local/ssl/CAkey/certs/CA.pem
\
-keyout /usr/local/ssl/CAkey/private/CAkey.pem
2) Then i create a sign request
openssl req -nodes -new -days 365 \
-out /usr/local/ssl/CAkey/private/CertReq.pem \
-keyout /usr/local/ssl/CAkey/private/Certkey.pem
3) I sign it with CA created in first step
openssl ca -in /usr/local/ssl/CAkey/private/CertReq.pem \
-out /usr/local/ssl/CAkey/private/Cert.pem
I think that's correct so far and runs without an error ...
It produces a file 00.pem in /usr/local/ssl/CAkey/newcerts.
Now, how do i "connect" this with the TLSxxx-directives in
slapd.conf.
I read several tutorials and tried almost everything,
but all i get is an errormessage :
----snipp----
TLS trace: SSL3 alert read:fatal:unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:
SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:964
----snipp----
So how do i have to configurate the TLS-directives ????
TLSCertificateFile /usr/local/ssl/CAkey/???
TLSCertificateKeyFile /usr/local/ssl/CAkey/???
TLSCACertificateFile /usr/local/ssl/CAkey/???
If someone would be so kind to help me in my stupidness ...
and just tells me how to fill the ???? with the correct "files"
i would be very happy ...
greets Harry